Website security is as important as your content and SEO, and you should do whatever it takes to keep your online business safe and secure. There are multiple approaches to hardening WordPress; below you will find the practical measures I use myself, and I hope they will be helpful to you.
A brute-force attack is one of the oldest techniques: the attacker keeps trying to get into the WordPress admin with many username/password combinations. By going passwordless, you leave an attacker no password to guess at the login form. Wondering how it works?
Let me show you.
The default WordPress login window looks like this:
When you go passwordless, you no longer have the option to enter a username and password; instead, you authenticate with your phone. It’s simple and convenient.
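To see what a brute-force attempt looks like from the defender's side, here is an added example (not code from the original post) that scans web-server access log lines for bursts of failed logins against wp-login.php. It relies on WordPress answering a rejected login POST with HTTP 200 (the form is re-rendered) and a successful one with a 302 redirect. The log lines are constructed for the demonstration, and the threshold and window are assumptions you would tune for your site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access-log lines in the common log format; not real traffic.
# 203.0.113.5 hammers the login form, 198.51.100.7 logs in normally (302),
# 192.0.2.9 fails twice but twenty minutes apart.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4521
203.0.113.5 - - [10/Oct/2023:13:55:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4521
203.0.113.5 - - [10/Oct/2023:13:55:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4521
203.0.113.5 - - [10/Oct/2023:13:55:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4521
203.0.113.5 - - [10/Oct/2023:13:55:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4521
203.0.113.5 - - [10/Oct/2023:13:55:06 +0000] "POST /wp-login.php HTTP/1.1" 200 4521
198.51.100.7 - - [10/Oct/2023:13:55:10 +0000] "GET /wp-login.php HTTP/1.1" 200 3012
198.51.100.7 - - [10/Oct/2023:13:55:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.7 - - [10/Oct/2023:13:55:21 +0000] "GET /wp-admin/ HTTP/1.1" 200 8800
192.0.2.9 - - [10/Oct/2023:14:10:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4521
192.0.2.9 - - [10/Oct/2023:14:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4521
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_failed_logins(log_text):
    """Return {ip: [timestamps]} of POSTs to wp-login.php answered with 200.

    WordPress re-renders the login form with HTTP 200 when credentials are
    rejected and redirects (302) on success, so a 200 to a POST is the
    failed-attempt signal. Lines that do not match the format are skipped.
    """
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if m["method"] != "POST" or not m["path"].startswith("/wp-login.php"):
            continue
        if m["status"] != "200":
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        failures[m["ip"]].append(ts)
    return failures


def failed_login_bursts(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: peak} for IPs with at least `threshold` failures in any `window`.

    Threshold and window are assumed values for the demonstration.
    """
    bursts = {}
    for ip, times in parse_failed_logins(log_text).items():
        times.sort()
        peak, start = 0, 0
        for end, t in enumerate(times):
            # slide the window start forward until it is within `window` of t
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts[ip] = peak
    return bursts


if __name__ == "__main__":
    print(failed_login_bursts(SAMPLE_LOG))
```

On the constructed log only 203.0.113.5 is reported (six failures inside five seconds); the two spaced-out failures from 192.0.2.9 never reach the threshold. With a passwordless login, this kind of burst produces no guessable credential for the attacker to land on, which is the point the section makes.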
When things go wrong and nothing works, a backup comes to the rescue.
Many things can go wrong, for example:
Messed-up configuration
Files got deleted
Website got hacked
You installed a plugin and the site broke
Site is broken after updating WordPress, a theme, or plugins
If you are unable to fix the problem, or it is taking too long to get your online business operational again, consider restoring your website from a backup.
Most WordPress hosting platforms provide a daily backup, so you are covered. However, if you are with some other web hosting provider, check what backup they offer.
If you are on a VPS such as DigitalOcean or Linode, backup is not enabled by default, and they charge around 20% of your VPS plan for it. So if you are on a $10 plan, you pay an additional $2 for the backup.
Trust me; it’s worth it. There were many situations in which I had no option other than restoring Geekflare from a backup.
If you are hosting on a cloud like AWS or Google Cloud, you should take snapshots regularly or use a third-party backup tool. If your web host provides backups, I don’t see any reason to use a backup plugin, but in case you want one, here are some of the popular free backup & restore plugins for WordPress.
Over 2 million active installs says a lot. UpdraftPlus lets you back up your website data to cloud storage such as Amazon S3, Google Drive, Dropbox, FTP, etc.
Whenever you need to restore, you are just a click away.
BlogVault is a premium plugin trusted by more than 400,000 site owners. Some of its features include the following.
Automatic real-time backup and archive for 365 days
One-click staging site and recovery
Can be used for migration
Don’t settle for anything less than a daily backup.
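A backup is only worth something if it can actually be restored, so here is an added example (not code from the original post or from any of the plugins named above) of the file side of a WordPress backup: archive the site directory, record a SHA-256 checksum next to the archive, and refuse to restore unless the checksum still matches and no archive member would escape the target directory. The database dump (mysqldump) that a complete WordPress backup also needs is outside this example; the site tree it creates is a constructed placeholder.

```python
import hashlib
import hmac
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(site_dir, dest_dir, name="wp-backup"):
    """Archive site_dir to dest_dir/<name>.tar.gz and write <name>.sha256 beside it.

    The recorded checksum lets verify_backup() detect a truncated or altered
    archive before you depend on it for a restore.
    """
    site_dir, dest_dir = Path(site_dir), Path(dest_dir)
    dest_dir.mkdir(parents=True, exist_ok=True)
    archive = dest_dir / f"{name}.tar.gz"
    with tarfile.open(str(archive), "w:gz") as tar:
        tar.add(str(site_dir), arcname=site_dir.name)
    digest = sha256_of(archive)
    (dest_dir / f"{name}.sha256").write_text(f"{digest}  {archive.name}\n")
    return archive


def verify_backup(archive):
    """Return True only if the archive still matches its recorded checksum."""
    archive = Path(archive)
    sidecar = archive.with_suffix("").with_suffix(".sha256")  # wp-backup.sha256
    if not sidecar.exists():
        return False
    recorded = sidecar.read_text().split()[0]
    return hmac.compare_digest(recorded, sha256_of(archive))


def restore_backup(archive, target_dir):
    """Verify, then extract; reject members whose path would leave target_dir."""
    if not verify_backup(archive):
        raise ValueError(f"checksum mismatch or missing sidecar for {archive}")
    target_dir = Path(target_dir).resolve()
    with tarfile.open(str(archive), "r:gz") as tar:
        for member in tar.getmembers():
            dest = (target_dir / member.name).resolve()
            if dest != target_dir and target_dir not in dest.parents:
                raise ValueError(f"unsafe path in archive: {member.name}")
        tar.extractall(str(target_dir))
    return target_dir


def demo_roundtrip():
    """Constructed end-to-end check: back up a fake site, verify, restore, tamper."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        site = tmp / "site"
        (site / "wp-content" / "uploads").mkdir(parents=True)
        (site / "wp-config.php").write_text("<?php // constructed placeholder\n")
        (site / "wp-content" / "uploads" / "note.txt").write_text("hello")
        archive = create_backup(site, tmp / "backups")
        verified = verify_backup(archive)
        restored = restore_backup(archive, tmp / "restore")
        note = (restored / "site" / "wp-content" / "uploads" / "note.txt").read_text()
        # Simulate a damaged or tampered archive by appending one byte.
        with open(archive, "ab") as f:
            f.write(b"\0")
        try:
            restore_backup(archive, tmp / "restore2")
            refused = False
        except ValueError:
            refused = True
        return {"verified": verified, "restored_note": note,
                "verified_after_tamper": verify_backup(archive),
                "restore_refused_after_tamper": refused}


if __name__ == "__main__":
    print(demo_roundtrip())
```

Run a restore like this into a scratch directory on a schedule, not just the backup: the tampered-archive branch in demo_roundtrip() is exactly the case where a "successful" nightly backup would otherwise fail you on the day you need it.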
Use WAF/Security Plugin
The default WordPress installation may expose configuration details and version information, and it can be vulnerable if not hardened properly. There are many security-related plugins available, so pick what you like, but ensure it covers the following.
Change Admin URL – the WordPress admin is accessible by default at wp-login.php, and the whole world knows about it.
So anyone who knows a site is built on WordPress can reach the admin URL simply by appending wp-login.php and start trying to get in. It is a good idea to change the admin URL from wp-login.php to something else.
Spam Protection – don’t let your site fill up with spam comments and emails.
Implement Security HTTP Headers – protect against clickjacking, insecure cookies, XSS attacks, etc. by adding the necessary security headers to the HTTP response.
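Whichever plugin you pick for the headers, check the result rather than trusting the settings page. The following is an added example (not from the original post or any plugin) that audits a captured HTTP response for the headers the point above refers to: HSTS, Content-Security-Policy, clickjacking protection (X-Frame-Options or CSP frame-ancestors), X-Content-Type-Options, Referrer-Policy, and the Secure/HttpOnly/SameSite attributes on every Set-Cookie. Both responses below are constructed; in practice you would feed it the output of a request to your own site.

```python
import re

# Constructed responses: a default-looking one and a hardened one.
WEAK_RESPONSE = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Server: nginx",
    "Content-Type: text/html; charset=UTF-8",
    "Set-Cookie: wordpress_test_cookie=WP+Cookie+check; path=/",
]) + "\r\n\r\n<html>...</html>"

HARDENED_RESPONSE = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Content-Type: text/html; charset=UTF-8",
    "Strict-Transport-Security: max-age=31536000; includeSubDomains",
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'self'",
    "X-Content-Type-Options: nosniff",
    "Referrer-Policy: strict-origin-when-cross-origin",
    "Set-Cookie: wordpress_test_cookie=WP+Cookie+check; path=/; Secure; HttpOnly; SameSite=Lax",
]) + "\r\n\r\n<html>...</html>"

REQUIRED = {
    "strict-transport-security": "missing Strict-Transport-Security (no HSTS)",
    "content-security-policy": "missing Content-Security-Policy",
    "referrer-policy": "missing Referrer-Policy",
}
COOKIE_FLAGS = {"secure": "Secure", "httponly": "HttpOnly", "samesite": "SameSite"}


def parse_response_headers(raw):
    """Split a raw HTTP response into (status_line, [(name_lower, value), ...])."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def audit_headers(raw_response):
    """Return a list of findings; an empty list means every check passed."""
    _, headers = parse_response_headers(raw_response)
    present, cookies = {}, []
    for name, value in headers:
        if name == "set-cookie":
            cookies.append(value)          # may legitimately repeat
        else:
            present.setdefault(name, value)
    findings = [msg for name, msg in REQUIRED.items() if name not in present]

    # HSTS: a max-age of at least one year is the common recommendation.
    hsts = present.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts)
    if hsts and (not m or int(m.group(1)) < 31536000):
        findings.append("Strict-Transport-Security max-age is below one year")

    # Clickjacking: either header is acceptable, CSP frame-ancestors is the modern one.
    xfo = present.get("x-frame-options", "").upper()
    csp = present.get("content-security-policy", "")
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        findings.append("no clickjacking protection (X-Frame-Options or CSP frame-ancestors)")

    if present.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")

    # Every cookie should carry Secure, HttpOnly and SameSite.
    for cookie in cookies:
        cname = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().split("=", 1)[0].lower() for a in cookie.split(";")[1:]}
        for key, label in COOKIE_FLAGS.items():
            if key not in attrs:
                findings.append(f"cookie '{cname}' lacks {label}")
    return findings


if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_headers(resp) or "OK")
```

The default-looking response yields eight findings, the hardened one none. Note that the cookie attribute check is deliberately strict: WordPress sets several cookies on login, and every one of them, not just the test cookie shown here, should pass.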
Let’s take a look at the top security plugins.
Wordfence is used by over three million websites and has tons of features, including the following.
iThemes is a premium security solution. It helps you protect your website from more than 30 types of attacks.
Configuration is easy, and it offers comprehensive security protection.
Shield, a.k.a. WordPress Simple Firewall, is awesome and gives you almost everything you need for FREE.
I have used this plugin and love the dashboard and comprehensive features; it is worth giving a try.
Use Cloud-based Security
A security/firewall plugin is good, but it still runs within WordPress, so its protection only starts once the request has already reached WordPress.
If you are looking for additional protection, consider cloud-based security. A cloud security service filters traffic and blocks attackers at the edge of the network, before requests reach your server. Most cloud-based security providers also offer a CDN (Content Delivery Network) to make your website load faster.
Some of the popular CDN & Security providers are:
One of the industry leaders in providing website security and a high-performing CDN for better performance and security.
SUCURI offers dual benefits – security and performance – with a single price. It protects against the OWASP Top 10 vulnerabilities, DDoS, WordPress-specific threats, brute-force attacks, and a lot more.
The list wouldn’t be complete without Cloudflare, one of the most popular CDN & security providers for making your website secure and fast.
Take a look at the plan details for a feature comparison. Some of Cloudflare’s features worth mentioning:
SUCURI says 55% of infected websites had out-of-date WordPress.
An old version of WordPress, a plugin, or a theme may leave you vulnerable; as a best practice, keep an eye on vulnerable plugins and patch them as a priority. You may subscribe to the WPScan Vulnerability Database for email alerts, so you know when a plugin, theme, or WordPress version you use is vulnerable.
Security is an ongoing process, not a one-time set-up-and-forget task. Sometimes it is better to offload the headache to experts by going for a premium solution. If you can do the above yourself, good; otherwise, consider a managed WordPress hosting provider like Kinsta.
As the founder of Geekflare, I’ve helped millions to excel in the digital realm. Passionate about technology, I’m on a mission to explore the world and amplify growth for professionals and businesses alike.